Kerberos problem!
Beck Zoltan Gyula
beckzg at midnight.hu
Thu Feb 19 05:27:44 EST 2004
Hi list members!
I'm trying to configure a kerberos server. I read the documentation and
followed the instructions, but something is wrong, I think.
I have two Debian sarge Linux nodes on the intranet (10.0.0.0/24)
with hostnames ha1.aitia and ha2.aitia. The kdc and the krb-admin server
are ha1.aitia.
The krb5.conf looks like:
[libdefaults]
default_realm = INTRA.NET
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
INTRA.NET = {
kdc = ha1.aitia
admin_server = ha1.aitia
}
[domain_realm]
.aitia = INTRA.NET
aitia = INTRA.NET
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/log/kadmin.log
The kdc.conf looks like:
[kdcdefaults]
kdc_ports = 750,88
[realms]
INTRA.NET = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
I have made some principals:
kadmin: listprincs
beckzg@INTRA.NET
host/ha1.aitia@INTRA.NET
host/ha2.aitia@INTRA.NET
root@INTRA.NET
I have made the keytabs for the two hosts:
ktadd -k /etc/ha1.keytab host/ha1.aitia@INTRA.NET
ktadd -k /etc/ha2.keytab host/ha2.aitia@INTRA.NET
then I moved the ha1.keytab to the ha1.aitia machine as /etc/krb5.keytab and the
ha2.keytab to the ha2.aitia machine as /etc/krb5.keytab.
I installed the ssh-krb5, krb5-user, krb5-config and libpam-krb5 packages on
each machine and modified the ssh pam.d configuration to authenticate with
kerberos.
# cat /etc/pam.d/ssh
#%PAM-1.0
auth required pam_nologin.so
auth required pam_krb5.so
auth required pam_env.so # [1]
account required pam_unix.so
session required pam_unix.so
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password required pam_unix.so
So I log in to ha2.aitia and use kinit:
beckzg@ha2:~$ kinit
Password for beckzg@INTRA.NET:
beckzg@ha2:~$
On ha1.aitia, syslog shows:
==> /var/log/syslog <==
Feb 19 11:21:46 ha1 krb5kdc[424]: AS_REQ (6 etypes {18 16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186106, etypes {rep=16 tkt=16 ses=16}, beckzg@INTRA.NET for krbtgt/INTRA.NET@INTRA.NET
Then I try to ssh to ha1.aitia from ha2.aitia:
beckzg@ha2:~$ ssh ha1
beckzg@ha1's password:
Why does it prompt for the password? And this is not the kerberos prompt :(
On ha1.aitia the log now shows:
==> /var/log/syslog <==
Feb 19 11:24:54 ha1 krb5kdc[424]: TGS_REQ (5 etypes {16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186287, etypes {rep=16 tkt=16 ses=16}, beckzg@INTRA.NET for host/ha1.aitia@INTRA.NET
And this is the problem with Windows 2000 clients, too :( With ksetup the
kerberos realm is set up, but I could not log in to Windows :(
Can somebody help me? What's wrong, or any idea?
Best regards
bzg
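As an added example (not part of the original post or of MIT krb5), a small parser for the krb5kdc ISSUE lines above. It names the enctypes, flags any single-DES type that was offered or issued (the enctype lists in the posted krb5.conf and kdc.conf still allow des-cbc-crc and des-cbc-md5), and checks whether a service ticket for host/ha1.aitia was actually granted, which places the remaining failure on the ssh host rather than on the KDC. The first two sample lines are the post's own (with '@' restored); the third is constructed.

```python
import re
# Kerberos enctype numbers (RFC 3961/3962/4757) as krb5kdc prints them in its
# "etypes {...}" fields; 1, 2 and 3 are single DES (56-bit key).
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac-md5"}
WEAK_ETYPES = {1, 2, 3}
# Layout of the krb5kdc ISSUE lines in the post, each joined onto one line.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
    r"(?P<ip>[\d.]+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)$")

def parse_kdc_log(lines):
    """Return one dict per ISSUE line (other syslog lines are skipped) with the
    enctypes the client offered and the rep/tkt/ses enctypes the KDC used."""
    issues = []
    for line in lines:
        m = LINE_RE.search(line.strip())
        if m:
            d = m.groupdict()
            d["offered"] = [int(e) for e in d["offered"].split()]
            d["issued"] = [int(d.pop(k)) for k in ("rep", "tkt", "ses")]
            issues.append(d)
    return issues

def weak_enctype_findings(issues):
    """One finding per request where single DES was issued, or else offered."""
    findings = []
    for i in issues:
        issued = sorted(set(i["issued"]) & WEAK_ETYPES)
        offered = sorted(set(i["offered"]) & WEAK_ETYPES)
        if issued or offered:
            what = "issued" if issued else "offered by client"
            names = [ETYPE_NAMES[e] for e in (issued or offered)]
            findings.append(f'{i["req"]} {i["client"]} -> {i["service"]} from {i["ip"]}: {what} {names}')
    return findings

def service_ticket_issued(issues, client, service):
    """True if the KDC logged a TGS ISSUE for client -> service: the KDC side of
    that login worked, so a later password prompt comes from the service host."""
    return any(i["req"] == "TGS_REQ" and i["client"] == client and i["service"] == service
               for i in issues)

# Sample input: the two lines from the post ('@' restored) plus one constructed
# TGS_REQ line that shows a single-DES ticket being flagged.
SAMPLE_LOG = [
    "Feb 19 11:21:46 ha1 krb5kdc[424]: AS_REQ (6 etypes {18 16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186106, etypes {rep=16 tkt=16 ses=16}, beckzg@INTRA.NET for krbtgt/INTRA.NET@INTRA.NET",
    "Feb 19 11:24:54 ha1 krb5kdc[424]: TGS_REQ (5 etypes {16 23 1 3 2}) 10.0.0.14: ISSUE: authtime 1077186287, etypes {rep=16 tkt=16 ses=16}, beckzg@INTRA.NET for host/ha1.aitia@INTRA.NET",
    "Feb 19 11:30:02 ha1 krb5kdc[424]: TGS_REQ (1 etypes {1}) 10.0.0.14: ISSUE: authtime 1077186287, etypes {rep=1 tkt=1 ses=1}, beckzg@INTRA.NET for host/ha2.aitia@INTRA.NET",  # constructed
]
```

Run against SAMPLE_LOG it reports three findings (both real lines only offered single DES; the constructed line was issued with it) and confirms the host/ha1.aitia ticket was granted.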
More information about the Kerberos mailing list